feat: opt-in non-authoritative project metadata #40
Merged
Add use_authoritative_project_metadata variable (default: true) to let users switch from google_compute_project_metadata (authoritative) to per-key google_compute_project_metadata_item resources. Existing deployments see no change on upgrade. Users who share the GCP project with other metadata sources can opt in by setting the variable to false and running the documented state migration. Co-authored-by: Ona <no-reply@ona.com>
Move migration docs to public Ona documentation instead of the module README. Shorten the variable description to one sentence. Co-authored-by: Ona <no-reply@ona.com>
@carolinetaymor-qz Thanks for this suggestion!
easyCZ pushed a commit that referenced this pull request May 21, 2026
feat: opt-in non-authoritative project metadata
Problem
google_compute_project_metadata is authoritative — it manages all project-level metadata. Keys not declared in this module are removed on terraform apply. This is disruptive for users who share the GCP project with other metadata sources (SSH keys, other Terraform modules, etc.).

PR #24 attempted to fix this by switching to google_compute_project_metadata_item, but that broke existing deployments on upgrade (PR #33 reverted it).

Fix
Add a use_authoritative_project_metadata variable (default: true) that lets users opt into per-key google_compute_project_metadata_item resources when ready.

- true (default): existing behavior, no change on upgrade
- false: per-key items that only manage enable-oslogin and gitpod-runner-id, leaving other project metadata untouched

Migration docs (state rm + import steps) are added to the public GCP runner setup docs in a separate PR.

Changes
- variables.tf: new use_authoritative_project_metadata bool variable
- runner-vm.tf: count-gated toggle between google_compute_project_metadata and google_compute_project_metadata_item

Addresses feedback from #33.
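The toggle described in this PR, as an added HCL sketch (not the module's own code, which is not shown on this page). The resource labels, var.project_id, var.runner_id and the "TRUE" value for enable-oslogin are assumptions made for illustration.

```hcl
# Added illustration; names other than use_authoritative_project_metadata,
# the two resource types and the two metadata keys are hypothetical.

variable "use_authoritative_project_metadata" {
  type        = bool
  default     = true # existing deployments keep the authoritative resource
  description = "Manage all project metadata (true) or only this module's keys (false)."
}

variable "project_id" { type = string } # assumed variable name
variable "runner_id" { type = string }  # assumed variable name

locals {
  # The two keys the PR description says the module manages.
  runner_metadata = {
    "enable-oslogin"   = "TRUE" # assumed value
    "gitpod-runner-id" = var.runner_id
  }
}

# Authoritative path: this resource owns the entire project metadata map,
# so keys set by anyone else (SSH keys, other modules) are removed on apply.
resource "google_compute_project_metadata" "authoritative" {
  count    = var.use_authoritative_project_metadata ? 1 : 0
  project  = var.project_id
  metadata = local.runner_metadata
}

# Non-authoritative path: one resource per key; Terraform only tracks these
# two entries and leaves the rest of the project's metadata untouched.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  count   = var.use_authoritative_project_metadata ? 0 : 1
  project = var.project_id
  key     = "enable-oslogin"
  value   = local.runner_metadata["enable-oslogin"]
}

resource "google_compute_project_metadata_item" "runner_id" {
  count   = var.use_authoritative_project_metadata ? 0 : 1
  project = var.project_id
  key     = "gitpod-runner-id"
  value   = local.runner_metadata["gitpod-runner-id"]
}
```

Because the two paths are separate resource addresses, flipping the variable on an existing deployment changes which resources exist in state, which is why the PR pairs the false setting with a documented state migration.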